2 * Copyright 2001-2007 Internet2
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
8 * http://www.apache.org/licenses/LICENSE-2.0
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
20 * Handles SAML 2.0 NameID management protocol messages.
24 #include "exceptions.h"
25 #include "Application.h"
26 #include "ServiceProvider.h"
27 #include "handler/AbstractHandler.h"
28 #include "handler/RemotedHandler.h"
29 #include "util/SPConstants.h"
32 # include "SessionCache.h"
33 # include "security/SecurityPolicy.h"
34 # include "util/TemplateParameters.h"
36 # include <saml/SAMLConfig.h>
37 # include <saml/saml2/core/Protocols.h>
38 # include <saml/saml2/metadata/EndpointManager.h>
39 # include <saml/saml2/metadata/MetadataCredentialCriteria.h>
40 # include <xmltooling/util/URLEncoder.h>
41 using namespace opensaml::saml2;
42 using namespace opensaml::saml2p;
43 using namespace opensaml::saml2md;
44 using namespace opensaml;
47 using namespace shibsp;
48 using namespace xmltooling;
53 #if defined (_MSC_VER)
54 #pragma warning( push )
55 #pragma warning( disable : 4250 )
58 class SHIBSP_DLLLOCAL SAML2NameIDMgmt : public AbstractHandler, public RemotedHandler
61 SAML2NameIDMgmt(const DOMElement* e, const char* appId);
62 virtual ~SAML2NameIDMgmt() {
64 if (SPConfig::getConfig().isEnabled(SPConfig::OutOfProcess)) {
66 XMLString::release(&m_outgoing);
67 for_each(m_encoders.begin(), m_encoders.end(), cleanup_pair<const XMLCh*,MessageEncoder>());
72 void receive(DDF& in, ostream& out);
73 pair<bool,long> run(SPRequest& request, bool isHandler=true) const;
76 void generateMetadata(SPSSODescriptor& role, const char* handlerURL) const {
77 const char* loc = getString("Location").second;
78 string hurl(handlerURL);
82 auto_ptr_XMLCh widen(hurl.c_str());
83 ManageNameIDService* ep = ManageNameIDServiceBuilder::buildManageNameIDService();
84 ep->setLocation(widen.get());
85 ep->setBinding(getXMLString("Binding").second);
86 role.getManageNameIDServices().push_back(ep);
87 role.addSupport(samlconstants::SAML20P_NS);
92 pair<bool,long> doRequest(
93 const Application& application, const char* session_id, const HTTPRequest& httpRequest, HTTPResponse& httpResponse
97 bool stronglyMatches(const XMLCh* idp, const XMLCh* sp, const saml2::NameID& n1, const saml2::NameID& n2) const;
98 bool notifyBackChannel(const Application& application, const char* requestURL, const NameID& nameid, const NewID* newid) const;
100 pair<bool,long> sendResponse(
101 const XMLCh* requestID,
103 const XMLCh* subcode,
105 const char* relayState,
106 const RoleDescriptor* role,
107 const Application& application,
108 HTTPResponse& httpResponse,
113 MessageDecoder* m_decoder;
115 vector<const XMLCh*> m_bindings;
116 map<const XMLCh*,MessageEncoder*> m_encoders;
120 #if defined (_MSC_VER)
121 #pragma warning( pop )
124 Handler* SHIBSP_DLLLOCAL SAML2NameIDMgmtFactory(const pair<const DOMElement*,const char*>& p)
126 return new SAML2NameIDMgmt(p.first, p.second);
130 SAML2NameIDMgmt::SAML2NameIDMgmt(const DOMElement* e, const char* appId)
131 : AbstractHandler(e, Category::getInstance(SHIBSP_LOGCAT".NameIDMgmt.SAML2"))
133 ,m_role(samlconstants::SAML20MD_NS, IDPSSODescriptor::LOCAL_NAME), m_decoder(NULL), m_outgoing(NULL)
137 if (SPConfig::getConfig().isEnabled(SPConfig::OutOfProcess)) {
138 SAMLConfig& conf = SAMLConfig::getConfig();
140 // Handle incoming binding.
141 m_decoder = conf.MessageDecoderManager.newPlugin(getString("Binding").second,make_pair(e,shibspconstants::SHIB2SPCONFIG_NS));
142 m_decoder->setArtifactResolver(SPConfig::getConfig().getArtifactResolver());
144 if (m_decoder->isUserAgentPresent()) {
145 // Handle front-channel binding setup.
146 pair<bool,const XMLCh*> outgoing = getXMLString("outgoingBindings", m_configNS.get());
147 if (outgoing.first) {
148 m_outgoing = XMLString::replicate(outgoing.second);
149 XMLString::trim(m_outgoing);
152 // No override, so we'll install a default binding precedence.
153 string prec = string(samlconstants::SAML20_BINDING_HTTP_REDIRECT) + ' ' + samlconstants::SAML20_BINDING_HTTP_POST + ' ' +
154 samlconstants::SAML20_BINDING_HTTP_POST_SIMPLESIGN + ' ' + samlconstants::SAML20_BINDING_HTTP_ARTIFACT;
155 m_outgoing = XMLString::transcode(prec.c_str());
159 XMLCh* start = m_outgoing;
160 while (start && *start) {
161 pos = XMLString::indexOf(start,chSpace);
163 *(start + pos)=chNull;
164 m_bindings.push_back(start);
166 auto_ptr_char b(start);
167 MessageEncoder * encoder = conf.MessageEncoderManager.newPlugin(b.get(),make_pair(e,shibspconstants::SHIB2SPCONFIG_NS));
168 m_encoders[start] = encoder;
169 m_log.debug("supporting outgoing front-channel binding (%s)", b.get());
171 catch (exception& ex) {
172 m_log.error("error building MessageEncoder: %s", ex.what());
175 start = start + pos + 1;
181 MessageEncoder* encoder = conf.MessageEncoderManager.newPlugin(
182 getString("Binding").second,make_pair(e,shibspconstants::SHIB2SPCONFIG_NS)
184 m_encoders.insert(pair<const XMLCh*,MessageEncoder*>(NULL, encoder));
189 string address(appId);
190 address += getString("Location").second;
191 setAddress(address.c_str());
194 pair<bool,long> SAML2NameIDMgmt::run(SPRequest& request, bool isHandler) const
196 // Get the session_id in case this is a front-channel request.
197 pair<string,const char*> shib_cookie = request.getApplication().getCookieNameProps("_shibsession_");
198 const char* session_id = request.getCookie(shib_cookie.first.c_str());
200 SPConfig& conf = SPConfig::getConfig();
201 if (conf.isEnabled(SPConfig::OutOfProcess)) {
202 // When out of process, we run natively and directly process the message.
203 return doRequest(request.getApplication(), session_id, request, request);
206 // When not out of process, we remote all the message processing.
207 DDF out,in = wrap(request, NULL, true);
208 DDFJanitor jin(in), jout(out);
210 in.addmember("session_id").string(session_id);
211 out=request.getServiceProvider().getListenerService()->send(in);
212 return unwrap(request, out);
216 void SAML2NameIDMgmt::receive(DDF& in, ostream& out)
219 const char* aid=in["application_id"].string();
220 const Application* app=aid ? SPConfig::getConfig().getServiceProvider()->getApplication(aid) : NULL;
222 // Something's horribly wrong.
223 m_log.error("couldn't find application (%s) for NameID mgmt", aid ? aid : "(missing)");
224 throw ConfigurationException("Unable to locate application for NameID mgmt, deleted?");
227 // Unpack the request.
229 DDFJanitor jout(ret);
230 auto_ptr<HTTPRequest> req(getRequest(in));
231 auto_ptr<HTTPResponse> resp(getResponse(ret));
233 // Since we're remoted, the result should either be a throw, which we pass on,
234 // a false/0 return, which we just return as an empty structure, or a response/redirect,
235 // which we capture in the facade and send back.
236 doRequest(*app, in["session_id"].string(), *req.get(), *resp.get());
240 pair<bool,long> SAML2NameIDMgmt::doRequest(
241 const Application& application, const char* session_id, const HTTPRequest& request, HTTPResponse& response
245 SessionCache* cache = application.getServiceProvider().getSessionCache();
247 // Locate policy key.
248 pair<bool,const char*> policyId = getString("policyId", m_configNS.get()); // namespace-qualified if inside handler element
250 policyId = application.getString("policyId"); // unqualified in Application(s) element
252 // Access policy properties.
253 const PropertySet* settings = application.getServiceProvider().getPolicySettings(policyId.second);
254 pair<bool,bool> validate = settings->getBool("validate");
256 // Lock metadata for use by policy.
257 Locker metadataLocker(application.getMetadataProvider());
259 // Create the policy.
260 shibsp::SecurityPolicy policy(application, &m_role, validate.first && validate.second);
262 // Decode the message.
264 auto_ptr<XMLObject> msg(m_decoder->decode(relayState, request, policy));
265 const ManageNameIDRequest* mgmtRequest = dynamic_cast<ManageNameIDRequest*>(msg.get());
267 if (!policy.isAuthenticated())
268 throw SecurityPolicyException("Security of ManageNameIDRequest not established.");
270 // Message from IdP to change or terminate a NameID.
272 // If this is front-channel, we have to have a session_id to use already.
273 if (m_decoder->isUserAgentPresent() && !session_id) {
274 m_log.error("no active session");
276 mgmtRequest->getID(),
277 StatusCode::REQUESTER, StatusCode::UNKNOWN_PRINCIPAL, "No active session found in request.",
279 policy.getIssuerMetadata(),
286 bool ownedName = false;
287 NameID* nameid = mgmtRequest->getNameID();
289 // Check for EncryptedID.
290 EncryptedID* encname = mgmtRequest->getEncryptedID();
292 CredentialResolver* cr=application.getCredentialResolver();
294 m_log.warn("found encrypted NameID, but no decryption credential was available");
296 Locker credlocker(cr);
297 auto_ptr<MetadataCredentialCriteria> mcc(
298 policy.getIssuerMetadata() ? new MetadataCredentialCriteria(*policy.getIssuerMetadata()) : NULL
301 auto_ptr<XMLObject> decryptedID(encname->decrypt(*cr,application.getXMLString("entityID").second,mcc.get()));
302 nameid = dynamic_cast<NameID*>(decryptedID.get());
305 decryptedID.release();
308 catch (exception& ex) {
309 m_log.error(ex.what());
315 // No NameID, so must respond with an error.
316 m_log.error("NameID not found in request");
318 mgmtRequest->getID(),
319 StatusCode::REQUESTER, StatusCode::UNKNOWN_PRINCIPAL, "NameID not found in request.",
321 policy.getIssuerMetadata(),
324 m_decoder->isUserAgentPresent()
328 auto_ptr<NameID> namewrapper(ownedName ? nameid : NULL);
330 // For a front-channel request, we have to match the information in the request
331 // against the current session.
332 EntityDescriptor* entity = policy.getIssuerMetadata() ? dynamic_cast<EntityDescriptor*>(policy.getIssuerMetadata()->getParent()) : NULL;
334 if (!cache->matches(session_id, entity, *nameid, NULL, application)) {
336 mgmtRequest->getID(),
337 StatusCode::REQUESTER, StatusCode::REQUEST_DENIED, "Active session did not match NameID mgmt request.",
339 policy.getIssuerMetadata(),
348 // Determine what's happening...
349 bool ownedNewID = false;
351 if (!mgmtRequest->getTerminate()) {
352 // Better be a NewID in there.
353 newid = mgmtRequest->getNewID();
355 // Check for NewEncryptedID.
356 NewEncryptedID* encnewid = mgmtRequest->getNewEncryptedID();
358 CredentialResolver* cr=application.getCredentialResolver();
360 m_log.warn("found encrypted NewID, but no decryption credential was available");
362 Locker credlocker(cr);
363 auto_ptr<MetadataCredentialCriteria> mcc(
364 policy.getIssuerMetadata() ? new MetadataCredentialCriteria(*policy.getIssuerMetadata()) : NULL
367 auto_ptr<XMLObject> decryptedID(encnewid->decrypt(*cr,application.getXMLString("entityID").second,mcc.get()));
368 newid = dynamic_cast<NewID*>(decryptedID.get());
371 decryptedID.release();
374 catch (exception& ex) {
375 m_log.error(ex.what());
382 // No NewID, so must respond with an error.
383 m_log.error("NewID not found in request");
385 mgmtRequest->getID(),
386 StatusCode::REQUESTER, NULL, "NewID not found in request.",
388 policy.getIssuerMetadata(),
391 m_decoder->isUserAgentPresent()
396 auto_ptr<NewID> newwrapper(ownedNewID ? newid : NULL);
398 // TODO: maybe support in-place modification of sessions?
400 vector<string> sessions;
402 time_t expires = logoutRequest->getNotOnOrAfter() ? logoutRequest->getNotOnOrAfterEpoch() : 0;
403 cache->logout(entity, *nameid, &indexes, expires, application, sessions);
405 // Now we actually terminate everything except for the active session,
406 // if this is front-channel, for notification purposes.
407 for (vector<string>::const_iterator sit = sessions.begin(); sit != sessions.end(); ++sit)
408 if (session_id && strcmp(sit->c_str(), session_id))
409 cache->remove(sit->c_str(), application);
411 catch (exception& ex) {
412 m_log.error("error while logging out matching sessions: %s", ex.what());
414 logoutRequest->getID(),
415 StatusCode::RESPONDER, NULL, ex.what(),
417 policy.getIssuerMetadata(),
420 m_decoder->isUserAgentPresent()
425 // Do back-channel app notifications.
426 // Not supporting front-channel due to privacy fears.
427 bool worked = notifyBackChannel(application, request.getRequestURL(), *nameid, newid);
430 mgmtRequest->getID(),
431 worked ? StatusCode::SUCCESS : StatusCode::RESPONDER,
435 policy.getIssuerMetadata(),
438 m_decoder->isUserAgentPresent()
442 // A ManageNameIDResponse completes an SP-initiated sequence, currently not supported.
444 const ManageNameIDResponse* mgmtResponse = dynamic_cast<ManageNameIDResponse*>(msg.get());
446 if (!policy.isAuthenticated()) {
447 SecurityPolicyException ex("Security of ManageNameIDResponse not established.");
448 if (policy.getIssuerMetadata())
449 annotateException(&ex, policy.getIssuerMetadata()); // throws it
452 checkError(mgmtResponse, policy.getIssuerMetadata()); // throws if Status doesn't look good...
454 // Return template for completion.
455 return sendLogoutPage(application, response, false, "Global logout completed.");
459 FatalProfileException ex("Incoming message was not a samlp:ManageNameIDRequest.");
460 if (policy.getIssuerMetadata())
461 annotateException(&ex, policy.getIssuerMetadata()); // throws it
463 return make_pair(false,0); // never happen, satisfies compiler
465 throw ConfigurationException("Cannot process NameID mgmt message using lite version of shibsp library.");
471 bool SAML2NameIDMgmt::stronglyMatches(const XMLCh* idp, const XMLCh* sp, const saml2::NameID& n1, const saml2::NameID& n2) const
473 if (!XMLString::equals(n1.getName(), n2.getName()))
476 const XMLCh* s1 = n1.getFormat();
477 const XMLCh* s2 = n2.getFormat();
479 s1 = saml2::NameID::UNSPECIFIED;
481 s2 = saml2::NameID::UNSPECIFIED;
482 if (!XMLString::equals(s1,s2))
485 s1 = n1.getNameQualifier();
486 s2 = n2.getNameQualifier();
491 if (!XMLString::equals(s1,s2))
494 s1 = n1.getSPNameQualifier();
495 s2 = n2.getSPNameQualifier();
500 if (!XMLString::equals(s1,s2))
506 pair<bool,long> SAML2NameIDMgmt::sendResponse(
507 const XMLCh* requestID,
509 const XMLCh* subcode,
511 const char* relayState,
512 const RoleDescriptor* role,
513 const Application& application,
514 HTTPResponse& httpResponse,
518 // Get endpoint and encoder to use.
519 const EndpointType* ep = NULL;
520 const MessageEncoder* encoder = NULL;
522 const IDPSSODescriptor* idp = dynamic_cast<const IDPSSODescriptor*>(role);
523 for (vector<const XMLCh*>::const_iterator b = m_bindings.begin(); idp && b!=m_bindings.end(); ++b) {
524 if (ep=EndpointManager<ManageNameIDService>(idp->getManageNameIDServices()).getByBinding(*b)) {
525 map<const XMLCh*,MessageEncoder*>::const_iterator enc = m_encoders.find(*b);
526 if (enc!=m_encoders.end())
527 encoder = enc->second;
531 if (!ep || !encoder) {
532 auto_ptr_char id(dynamic_cast<EntityDescriptor*>(role->getParent())->getEntityID());
533 m_log.error("unable to locate compatible NIM service for provider (%s)", id.get());
534 MetadataException ex("Unable to locate endpoint at IdP ($entityID) to send ManageNameIDResponse.");
535 annotateException(&ex, role); // throws it
539 encoder = m_encoders.begin()->second;
543 auto_ptr<ManageNameIDResponse> nim(ManageNameIDResponseBuilder::buildManageNameIDResponse());
544 nim->setInResponseTo(requestID);
546 const XMLCh* loc = ep->getResponseLocation();
548 loc = ep->getLocation();
549 nim->setDestination(loc);
551 Issuer* issuer = IssuerBuilder::buildIssuer();
552 nim->setIssuer(issuer);
553 issuer->setName(application.getXMLString("entityID").second);
554 fillStatus(*nim.get(), code, subcode, msg);
556 auto_ptr_char dest(nim->getDestination());
558 long ret = sendMessage(*encoder, nim.get(), relayState, dest.get(), role, application, httpResponse);
559 nim.release(); // freed by encoder
560 return make_pair(true,ret);
563 #include "util/SPConstants.h"
564 #include <xmltooling/impl/AnyElement.h>
565 #include <xmltooling/soap/SOAP.h>
566 #include <xmltooling/soap/SOAPClient.h>
567 using namespace soap11;
569 static const XMLCh NameIDNotification[] = UNICODE_LITERAL_18(N,a,m,e,I,D,N,o,t,i,f,i,c,a,t,i,o,n);
571 class SHIBSP_DLLLOCAL SOAPNotifier : public soap11::SOAPClient
575 virtual ~SOAPNotifier() {}
577 void prepareTransport(SOAPTransport& transport) {
578 transport.setVerifyHost(false);
583 bool SAML2NameIDMgmt::notifyBackChannel(
584 const Application& application, const char* requestURL, const NameID& nameid, const NewID* newid
587 unsigned int index = 0;
588 string endpoint = application.getNotificationURL(requestURL, false, index++);
589 if (endpoint.empty())
592 auto_ptr<Envelope> env(EnvelopeBuilder::buildEnvelope());
593 Body* body = BodyBuilder::buildBody();
595 ElementProxy* msg = new AnyElementImpl(shibspconstants::SHIB2SPNOTIFY_NS, NameIDNotification);
596 body->getUnknownXMLObjects().push_back(msg);
597 msg->getUnknownXMLObjects().push_back(nameid.clone());
599 msg->getUnknownXMLObjects().push_back(newid->clone());
601 msg->getUnknownXMLObjects().push_back(TerminateBuilder::buildTerminate());
605 while (!endpoint.empty()) {
607 soaper.send(*env.get(), SOAPTransport::Address(application.getId(), application.getId(), endpoint.c_str()));
608 delete soaper.receive();
610 catch (exception& ex) {
611 m_log.error("error notifying application of logout event: %s", ex.what());
615 endpoint = application.getNotificationURL(requestURL, false, index++);